Chavez, James R. wrote:
> Howard,
> Thank you for the insight. I have seen your posts on other mailing lists and will definitely take what you said into consideration.
> I will look to implement chaining soon. However, is it possible to implement chaining over SSL using simple authentication and not certificate based authentication? I believe I had read it was not but I may be mistaken.

Yes. You can set up any sort of SSL without requiring cert based auth.

> And since you posted let me ask you this. Is it possible to extend the FDS schema to include the yast.schema extension that OpenLDAP contains in the SUSE OpenLDAP package? I am looking for the "susegrouptemplate" object class and such.

Yes - see http://directory.fedoraproject.org/wiki/Howto:OpenLDAPMigration

> Thank you again
> James
>
> -----Original Message-----
> From: fedora-directory-users-bounces at redhat.com [mailto:fedora-directory-users-bounces at redhat.com] On Behalf Of Howard Chu
> Sent: Tuesday, February 03, 2009 1:49 PM
> To: fedora-directory-users at redhat.com
> Subject: RE: Updating Consumer replica fails referral to the master from the console.
>
> >> Date: Mon, 2 Feb 2009 13:26:18 -0800
> >> From: "Chavez, James R." <james.chavez at sanmina-sci.com>
> >>
> >> Hi Rich,
> >> Thank you for your previous response. The answer was actually embedded within your statement I believe.
> >>
> >> "This is a problem in general with some older clients that do not know how to properly follow LDAPv3 referrals"
> >>
> >> I used the mozldap ldapmodify tool and it worked to update entries that I point at the consumer. I would have never guessed the openldap tool would not follow LDAPv3 referrals. Maybe a switch I missed or something.
> >> Thanks again for your suggestion.
>
> The automatic referral chasing code in OpenLDAP's command line tools was deprecated years ago.
> It's a security vulnerability: most of the time it will hand your username and plaintext password to any arbitrary server without any warning.
>
> Referrals are a gross flaw in the design of LDAP and should not be used.
>
> Distributed servers should use chaining to hide this detail from clients.
> Clients are not in any position to know whether or to what degree to trust the referred server, or what authentication domain or credentials are relevant on the referred server. Only the server admin knows these details; putting these decisions at the client is wrong.
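To make Howard's point concrete, here is an added example (not code from this thread, from OpenLDAP or from 389/FDS) of the decision a referral-chasing client has to get right before re-sending a simple bind: a referral is just an LDAP URL naming some other server, and blindly re-binding there hands the password to whoever that URL points at. The `may_chase_referral` helper, the trust list and the host names are assumptions for illustration; a policy like this is exactly what a client cannot know on its own, which is why the thread recommends server-side chaining instead.

```python
from urllib.parse import urlsplit

# Hypothetical policy helper (assumption, not an OpenLDAP/389 DS API):
# decide whether a client may re-use its simple-bind credentials at the
# server named in an LDAPv3 referral URL.

def parse_ldap_url(url):
    """Return (scheme, host, port) for an ldap:// or ldaps:// URL.
    Missing ports default to the standard 389 / 636."""
    u = urlsplit(url)
    if u.scheme not in ("ldap", "ldaps"):
        raise ValueError("not an LDAP URL: %r" % url)
    host = (u.hostname or "").lower()
    port = u.port or (636 if u.scheme == "ldaps" else 389)
    return u.scheme, host, port

def may_chase_referral(bound_to, referral, trusted_hosts):
    """True only if re-binding at `referral` stays inside the trust
    boundary the administrator configured in `trusted_hosts`.

    bound_to      - URL of the server the client originally bound to
    referral      - URL carried in the referral / continuation reference
    trusted_hosts - set of lowercase host names allowed to see credentials
    """
    orig_scheme, _, _ = parse_ldap_url(bound_to)
    scheme, host, _ = parse_ldap_url(referral)
    if not host:
        # ldap:/// with no host: the referral names nothing verifiable
        return False
    if host not in trusted_hosts:
        # unknown server: never forward username/password to it
        return False
    if orig_scheme == "ldaps" and scheme != "ldaps":
        # do not downgrade a TLS-protected bind to a cleartext one
        return False
    return True

if __name__ == "__main__":
    # Constructed sample: a consumer replica referring writes to its master.
    trusted = {"master.example.com"}
    for ref in ("ldaps://master.example.com/dc=example,dc=com",
                "ldap://master.example.com/dc=example,dc=com",
                "ldap://somewhere-else.example.net/dc=example,dc=com"):
        ok = may_chase_referral("ldaps://consumer.example.com", ref, trusted)
        print("%-55s -> %s" % (ref, "chase" if ok else "refuse"))
```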